In the wake of several media articles highlighting the risky practice of installing Trusted Root Certification Authority (CA) certificates onto users' devices, ExpressVPN has published a blog post explaining its stance on this controversial issue.
The good news for ExpressVPN is that they have confirmed that they never install Trusted Root CA certificates on any user devices.
What are Trusted Root CA certificates?
In case you are unfamiliar with the term, a Trusted Root CA certificate is a certificate that can be installed on your computer and, once there, tells your device which certificates from other sources it can trust.
Any company that installs Trusted Root CA certificates gains a great deal of power over your device, since it is then able to approve the certificates of others and to create certificates that impersonate any other entity you might interact with.
Trusted Root CA certificates are vital to every internet user's privacy and security because they are what lets your device confirm that a service or piece of software comes from a legitimate party and is not a fake or spoof created by hackers.
Because Trusted Root CA certificates vouch for other certificates, they are on the front line of your online security and privacy. But you have to place faith in the organisations that create them.
The chances are that your device came with a number of Trusted Root CA certificates preinstalled. As ExpressVPN notes in their blog post, as of April 2022 the Mozilla Firefox browser includes Trusted Root CA certificates from no fewer than 54 organizations. These include Amazon, DigiCert, GlobalSign, GoDaddy, Google, Microsoft, and Sectigo (Comodo).
That might sound worrying, but the CAs behind preinstalled Trusted Root CA certificates all have to undergo regular external audits to ensure the certificates are safe and fit for purpose.
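Because every trust anchor on a device carries the power described above, the practical check is to know exactly which roots are installed and whether any were added after the device was set up. The following Python script is an added example, not code from ExpressVPN's post or from this article: it compares the root CAs in a device's trust store against a baseline bundle you trust (for instance one exported from a freshly installed machine, or the Mozilla bundle) and lists any root that is not in the baseline. It uses only the standard library; the Windows ROOT store is read with `ssl.enum_certificates`, and on other systems you pass the device's PEM bundle as a file.

```python
import ssl
import sys


def parse_ca_bundle(cadata) -> list[dict]:
    """Parse PEM text or concatenated DER bytes into the dicts the stdlib ssl
    module produces (subject, issuer, serialNumber, notAfter, ...).
    Only CA certificates are returned, which is what a trust anchor is."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=cadata)
    return ctx.get_ca_certs()


def load_ca_file(path: str) -> list[dict]:
    """Read a PEM bundle file, e.g. /etc/ssl/certs/ca-certificates.crt."""
    with open(path, "rb") as f:
        return parse_ca_bundle(f.read().decode("ascii", "ignore"))


def windows_root_store() -> list[dict]:
    """Windows only: enumerate the machine's ROOT store, which is where a
    third-party installer that adds a trust anchor would place it."""
    der = b"".join(cert for cert, enc, _trust in ssl.enum_certificates("ROOT")
                   if enc == "x509_asn")
    return parse_ca_bundle(der)


def cert_id(cert: dict) -> tuple:
    """Identity used for matching: full subject DN plus serial number."""
    return (cert.get("subject", ()), cert.get("serialNumber"))


def rdn_value(cert: dict, field: str, key: str) -> str:
    """Pull one attribute (e.g. commonName) out of a subject or issuer DN."""
    for rdn in cert.get(field, ()):
        for k, v in rdn:
            if k == key:
                return v
    return "?"


def find_unexpected_roots(device: list[dict], baseline: list[dict]) -> list[dict]:
    """Roots present on the device but absent from the baseline bundle."""
    known = {cert_id(c) for c in baseline}
    return [c for c in device if cert_id(c) not in known]


def describe(cert: dict) -> str:
    return (f"{rdn_value(cert, 'subject', 'commonName')} "
            f"[{rdn_value(cert, 'subject', 'organizationName')}] "
            f"serial={cert.get('serialNumber')} expires={cert.get('notAfter')}")


if __name__ == "__main__":
    # usage: python check_roots.py baseline.pem [device.pem]
    # without a device file the Windows ROOT store is read directly
    baseline = load_ca_file(sys.argv[1])
    device = load_ca_file(sys.argv[2]) if len(sys.argv) > 2 else windows_root_store()
    for c in find_unexpected_roots(device, baseline):
        print("not in baseline:", describe(c))
```

Any root the script reports should be traced back to whatever installed it; a root whose organisation name is a VPN client or other consumer application rather than a public CA is exactly the case this article is about.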
What are the risks of installing Trusted Root CA certificates?
A flawed Trusted Root CA certificate has the potential to undermine your online security and privacy. It is what vouches for the security of the websites you visit, verifies the authenticity of software, and confirms that an encrypted communications channel is secure and genuine.
If it fails to do any of that correctly, your online security and privacy could easily be compromised.
The private key that backs the root certificate also has to be protected. If that key is compromised, there are a number of further possible security implications, including falling victim to a Man-in-the-Middle attack and having fake or insecure software authorized as genuine.
VPNs and Trusted Root CA certificates
Some VPNs have chosen to install Trusted Root CA certificates on user devices. A number of recent media articles have highlighted this practice and named several VPN providers, including Surfshark VPN, Atlas VPN, VyprVPN, and TurboVPN.
These VPN providers may well be offering safe and secure Trusted Root CA certificates. But the question of whether they need to be using them at all is a legitimate one.
For their part, Surfshark VPN told TechRadar that they were phasing out the use of Trusted Root CA certificates as they transition away from the IKEv2 protocol and focus on the OpenVPN and WireGuard protocols. This is good news.
However, ExpressVPN has now categorically stated that it does not use them at all, either with or without user approval.
Trusted Root CA certificates can pose a significant security and privacy risk. An example of how they have been misused by a VPN can be found in the case of the infamous Facebook VPN, Onavo.
Onavo secretly installed a Trusted Root CA certificate onto the devices of anyone who downloaded it and used it to monitor user activity. Facebook claimed at the time that this was for 'research purposes', but it was seen by most as a gross invasion of user privacy.
Not every VPN, or other piece of software, that uses Trusted Root CA certificates has malign intentions like this. But, as ExpressVPN rightly points out, it is a question of principle: how much control and power should a third party have over your devices?
We share the views of security experts that there is no real need for VPN providers to be installing Trusted Root CA certificates onto user devices.
While we will give providers the benefit of the doubt that they don't have malign intentions in doing so, it is still something of an abuse of trust and places an unnecessary security risk on users.
ExpressVPN has always been one of the most security-conscious of VPN providers and we are in no way surprised that they have distanced themselves from this practice.
They have often set benchmarks that other VPN providers strive to meet, and we hope that will be the case on this issue too: that those providers which still use Trusted Root CA certificates will transition away from them as soon as possible.
It is certainly an issue that we will be keeping an eye on in the months ahead and looking at in subsequent reviews.